Information Governance Strategy 2014-16 - ICO


Information Commissioner's Office
Information governance strategy 2014-16

Contents

1.0 Executive summary
2.0 Introduction
3.0 ICO's corporate plan 2014-17
4.0 Regulatory environment
5.0 Scope
6.0 Information governance aims
7.0 Deliverables
8.0 Roles and responsibilities

Version 1.0, May 2014

1.0 Executive summary

This strategy describes the ICO's information governance aims and deliverables for the next two years.

It confirms the ICO's commitment to compliance with information rights legislation. It also confirms our commitment to good practice through the implementation of, and adherence to, our own guidance.

It sets out an approach that will deliver all of the essential compliance elements in a way that also actively enables and supports the delivery of corporate objectives and exploits opportunities for business benefits. It is an approach that will be flexible and responsive to new or changed operational requirements, and that will enable the organisation to take proportionate risk.

It demonstrates how effective information governance can help us to make the best use of our information and, as a consequence, assist in the delivery of our objectives and the improvement of our business processes.

It is an approach which will further our corporate objectives to be open and transparent about what we do, and to be accountable for the actions we take. It will give confidence to those who provide personal information to us that their information will be managed appropriately.

The Information Governance team will set out and communicate our information governance strategy and champion the information governance agenda. Engaging with business areas across the ICO, it will ensure that corporate information governance policy is reviewed and that it properly aligns with business and operational requirements. The team will work with, and provide specialist advice and support to, our staff and Information Asset Owners (IAOs). The Information Governance team will actively engage with the Good Practice teams to share experience and examples of good practice and to ensure that messages conveyed externally are consistent with our internal processes.

This strategy excludes the ICO's obligations in relation to the handling of information requests made to the ICO under the Data Protection Act 1998 and the Freedom of Information Act 2000.

2.0 Introduction

This strategy covers the period 2014-16 and describes the continuing development, implementation and embedding of a robust information governance framework needed for the effective management and protection of the ICO's information.

Information governance describes the approach within which accountability, standards, policies and procedures are developed and implemented to ensure that all information created, obtained or received by the ICO is held and used appropriately.

The ICO has a responsibility to manage and protect a wide range of information, including:

- information provided by individuals relating to their concerns about how their personal information has been processed;
- information obtained by the ICO during the course of our investigations;
- information obtained in order to produce a public register of data controllers;
- information about our development of policy and guidance;
- information obtained during the audit process; and
- information which supports the running of our organisation, including records relating to staff and our IT.

3.0 ICO corporate plan 2014-17

In the corporate plan 2014-17 the ICO describes its goal as achieving a society in which all organisations who collect and use personal information do so responsibly, securely and fairly. We want all those who handle information:

- to routinely meet their legal obligations in the way they respond to people exercising their rights;
- to have a high level of awareness of all their wider obligations under information rights law, with those obligations routinely met in practice; and
- to ensure that good information rights practice is embedded into the culture and day to day processes of organisations and into emerging technologies and systems.

In our corporate objectives we commit to continually reviewing and improving our own compliance with information rights legislation, underpinned by our value of being a model of good practice and not asking others to do what we are not prepared to do ourselves.

This information governance strategy is a clear statement of the ICO's commitment to compliance with information rights legislation and to demonstrating good practice. It demonstrates our investment in, and support for, this business priority.

The strategy describes our commitment to ensuring effective information governance as a means to enable our business, to ensure we can make the best use of our information and to provide a solid foundation to enable us to be open and transparent about what we do.

At the same time it takes account of, and supports, the ICO's operational objectives and ensures that a balance is struck between operational and compliance objectives.

4.0 Regulatory environment

The context in which the ICO operates is unusual. We are subject to the laws for which we are responsible, being a data controller with obligations set out in the Data Protection Act 1998 and a public authority with obligations under the Freedom of Information Act 2000. We are in effect our own regulator.

The legal and regulatory framework is outlined below and includes:

The legislation regulated by the ICO:
- The Data Protection Act 1998
- The Freedom of Information Act 2000
- The Environmental Information Regulations 2004
- The Privacy and Electronic Communications Regulations 2003

Other related legislation:
- The Public Records Act 1958
- The Re-use of Public Sector Information Regulations 2005
- The Computer Misuse Act 1990
- The Regulation of Investigatory Powers Act 2000

Related guidance and codes of good practice:
- Security Policy Framework (Cabinet Office)
- Public Service Network (PSN) Code of Connection
- The ICO's published guidance and codes of practice

We will continue to monitor the progress of any new EU data protection regulation or changes in UK law and respond promptly to any change.

5.0 Scope

This strategy includes within its scope:

- management of the life cycle of the ICO's records and information, from creation or receipt to disposal or transfer to The National Archives for permanent preservation;
- information security; and
- the collection, management and use of personal information created, received or obtained by the ICO.

This strategy excludes the ICO's obligations in relation to the handling of information requests made to the ICO under the Data Protection Act 1998 and the Freedom of Information Act 2000. Contact details for the information access team are provided here (internal link only) and are also on our website.

6.0 Information governance aims

The ICO's six information governance aims are outlined here. Deliverables to support the achievement of these aims are described in section 7.0. Achievement of these aims will deliver essential compliance elements but will also enable and support our business and deliver business benefits.

6.1 Policy

We will implement information governance policies which are embedded in the day to day operations of the ICO and which are compliant with relevant legislation, standards and codes of practice and demonstrate good practice.

We will implement risk-based information governance policies which are clear, accessible and flexible, and aligned with business requirements.

6.2 Awareness

We will ensure that there is a high level of staff and supplier awareness of information governance policy and processes, to help achieve compliance and to reduce the risk of non-compliance through human error.

We will foster a culture of personal responsibility, ownership and commitment to high standards in information handling to support and enable our business processes.

6.3 Monitoring and assurance

We will ensure that there are processes in place to check whether information governance policy is being implemented and to measure the effectiveness of the control environment.

We will work with the business areas and Information Asset Owners, prompting feedback about the practical operation of policy. We will respond and make changes where necessary. The Information Governance team and Good Practice teams will work together to share experience gained internally and externally and to maximise the opportunity to learn from examples of good practice. We will work with the Good Practice teams to assess our effectiveness in implementing the ICO's own published guidance.

6.4 Records and information management

We will ensure that effective processes are in place to manage our records and information. From creation or receipt through to disposal, we will meet our obligations under the Public Records Act and the records management guidance set out in the code of practice issued under s46 of the Freedom of Information Act.

The effective management of our records and information will ensure that we know what information is available to us and where it is stored. It will enable us to promptly retrieve information, saving time, effort and electronic and physical storage space. It will also enable us to respond promptly to information requests and, through the timely publication of information, increase our openness and transparency about what we do.

6.5 Information security

We will implement information security policies which take account of legislative requirements, HMG guidance and the codes of connection we are subject to, but which are appropriate, proportionate, measured and part of business as usual.

We will work with the business areas to ensure that information security policy is aligned with operational requirements, finding solutions appropriate to the ICO's risk appetite. We will support our staff by ensuring that information security policy and processes are clear and accessible, that help and guidance are available when needed, and by providing appropriate training to minimise the risk of human error.

6.6 Collection and use of personal information

We will ensure that personal information received or obtained by the ICO is managed and used responsibly, securely and fairly.

We will promote transparency and openness about how we handle personal information, providing confidence to the individuals and third parties who pass personal information to us.

7.0 Deliverables

The deliverables to support the achievement of the ICO's information governance aims over the next two years are outlined here. For each deliverable, the compliance it delivers and the business benefits and opportunities it offers are listed. References to "principle 1", "principle 7" and so on are to the data protection principles in Schedule 1 of the Data Protection Act 1998.

7.1 Policy

Deliverable: A review of all information governance policy.
Delivering compliance: Policies which achieve legal compliance, demonstrate good practice and are in accordance with the ICO's own published guidance.
Business benefits and opportunities: Opportunities for the business to input to the review process and to ensure that revised information governance policy is clear and fully aligned with business and operational requirements.

7.2 Awareness

Deliverable: Communication and promotion of the revised information governance policies to IAOs, staff and third parties who work with the ICO.
Delivering compliance: High levels of awareness to minimise risks of non-compliance through human error.
Business benefits and opportunities: Information tailored to job roles and business processes.

Deliverable: A developed and implemented training programme for IAOs.
Delivering compliance: Local ownership and accountability for information governance issues, driving compliance.
Business benefits and opportunities: Development opportunity for individuals, and the opportunity to develop an IAO forum to discuss and share experience and good practice.

Deliverable: Designated information security and records management weeks to raise awareness and prompt discussion.
Delivering compliance: Increasing awareness to minimise the risk of human error and non-compliance.
Business benefits and opportunities: Opportunity to raise issues, share experience and seek clarification.

7.3 Monitoring and assurance

Deliverable: A developed and embedded integrated assurance framework, as part of business as usual, with twice-yearly self-assessments.
Delivering compliance: A tool to provide assurance to the SIRO and audit committee and to monitor compliance.
Business benefits and opportunities: Structured opportunity for IAOs to consider information governance compliance. An opportunity to identify and address corporate issues identified by IAOs.

Deliverable: A review of the pre-employment personnel security check process and the adoption of any recommendations.
Delivering compliance: Appropriate organisational measures in place to satisfy the requirements of principle 7.
Business benefits and opportunities: Reduced risk of employing inappropriate staff, potentially saving time and costs.

Deliverable: A review of IT processes, including taking and storing IT back-up media and the disposal of IT equipment, and the adoption of any recommendations.
Delivering compliance: Appropriate technical and organisational measures are in place to satisfy the requirements of principle 7.
Business benefits and opportunities: Confidence that information will be available to the business when required and that information will be securely disposed of when no longer required.

Deliverable: Physical security measures are tested, validated and assured by audit.
Delivering compliance: Appropriate technical and organisational measures are in place to satisfy the requirements of principle 7.
Business benefits and opportunities: Reassurance to staff about their safety in the workplace, and minimising the risk of security incidents interrupting business continuity.

7.4 Records and information management

Deliverable: Compliance with the retention and disposal schedule for non-casework records.
Delivering compliance: Supports compliance with principles 3, 4 and 5 and the code of practice issued under s46 of FOIA.
Business benefits and opportunities: Easier, quicker access to current records and information, saving time and effort and making best use of electronic and physical space.

Deliverable: Well defined records and information management requirements fed into the project to replace Meridio, the ICO's existing electronic document and records management system (EDRMS).
Delivering compliance: Ensures the replacement system is capable of compliance with relevant legislation.
Business benefits and opportunities: Opportunity to use the business experience and lessons learned from our first EDRMS implementation to feed into and influence the requirements for a replacement system.

Deliverable: Procedures developed for the annual transfer of records to The National Archives.
Delivering compliance: Meeting our obligations under the Public Records Act.
Business benefits and opportunities: Promotes our commitment to transparency and openness. Opportunity to ensure the process for selecting records for transfer is clear and minimises future work to review records.

Deliverable: Report on the issues which the ICO needs to address regarding digital obsolescence.
Delivering compliance: Meeting our obligations under the Public Records Act.
Business benefits and opportunities: Ensuring business continuity and future-proofing our information.

Deliverable: Paper files are being stored and managed in accordance with the ICO's policy.
Delivering compliance: Supports the implementation of s46 guidance (FOIA) and satisfies the requirements of principles 3, 4, 5 and 7.
Business benefits and opportunities: Ease of access to information and prompt retrieval when required. Making best use of physical space.

Deliverable: Naming conventions are consistently applied to the ICO's records and information.
Delivering compliance: Supports implementation of s46 guidance (FOIA) and supports the handling of information requests.
Business benefits and opportunities: Information can be located promptly when required and best use can be made of the information we hold.

Deliverable: The roles of the Local Records Officers and the Local Records Officer Forum are refreshed.
Delivering compliance: Supports delivery of compliance with all relevant legislation.
Business benefits and opportunities: Opportunity for staff to develop new skills, to share experience and good practice, and to promote the benefits of good information management at the local level.

Deliverable: Promote transparency and openness through the timely publication of the ICO's information.
Delivering compliance: Supporting the principles of openness and transparency set out in the FOIA.
Business benefits and opportunities: Helps to manage the expectations of stakeholders, provide information and insight into our operational activities, and save time by avoiding repeat information requests.

7.5 Information security

Deliverable: Embedded new Government Classification Scheme (GCS), with good awareness of and implementation of the handling guidance for all types of the ICO's information.
Delivering compliance: Satisfying the requirements of principle 7 and the Security Policy Framework.
Delivering business benefits: Clear, straightforward baseline controls reducing complexity.

Deliverable: Implementation of secure email or the right tools for secure information sharing.
Delivering compliance: Satisfying the requirements of principle 7.
Delivering business benefits: Providing a secure mechanism for sharing information with third parties.

Deliverable: Review of current arrangements for secure mobile working.
Delivering compliance: Satisfying the requirements of principle 7.
Delivering business benefits: New opportunities to consider and improve the business experience of mobile working.

Deliverable: A physical security review of the off-site storage facility, with any recommendations adopted.
Delivering compliance: Satisfying the requirements of principle 7.
Delivering business benefits: Ensuring business continuity, with information being available when required.

Deliverable: A fully tested secure IT disaster recovery solution to ensure the continued availability of the ICO's information in the event of an incident.
Delivering compliance: Satisfying the requirements of principle 7.
Delivering business benefits: Ensures the continued availability of the ICO's information in the event of an incident.

Deliverable: Successful annual PSN code of connection return and annual RMADS accreditation.
Delivering compliance: Satisfying the requirements of principle 7 and the PSN code of connection.
Delivering business benefits: Continuity of external email and connection to the internet.

Deliverable: Processes for ensuring that IT access is provided on a need-to-know basis are working effectively.
Delivering compliance: Satisfying the requirements of principle 7.
Delivering business benefits: Licence costs could be reduced, and there are opportunities for improved productivity if staff only have access to the applications and software required to carry out their role.

7.6 Collection and use of personal information

Deliverable: Information governance requirements are considered in any new or changed IT systems, business processes or new initiatives which involve the collection and use of personal information, and privacy impact assessments are carried out where necessary.
Delivering compliance: Satisfying the requirements of principle 1.
Delivering business benefits: An opportunity to build in information governance considerations at an early stage, saving time and costs and giving confidence to data subjects by ensuring that privacy impact assessments have been carried out where necessary.

Deliverable: The ICO is clear about how it uses and manages the personal information captured as a consequence of carrying out its statutory functions.
Delivering compliance: Satisfying the requirements of principle 1.
Delivering business benefits: Gives confidence to individuals and third parties that the ICO is properly managing and protecting the personal information which it handles.

8.0 Information governance roles and responsibilities

[Organisation chart: Executive Team; Senior Information Risk Owner (SIRO); Information Governance Steering Group; Information Governance Team; Independent External Security Contract; Information Asset Owners; Local Records Officers; IT Security Working Group; Physical Security Working Group]

8.1 Senior Information Risk Owner (SIRO)

The ICO's SIRO is the Director of Corporate Services, who is a member of the ICO's Executive Team. The SIRO has responsibility for sponsoring and promoting information governance policy.

8.2 The Information Governance Steering Group (IGSG)

The IGSG is chaired by the SIRO. The responsibilities of the IGSG include:

- agreeing information governance policy;
- considering any lessons learned;
- monitoring progress on the delivery of the information governance strategy;

- identifying information governance risks and ensuring appropriate mitigation is in place;
- ensuring any issues relating to the regional offices are addressed; and
- identifying and discussing any new business initiatives which may have information governance impacts.

The membership of the group is the Director of Operations, the Head of Good Practice, the Head of IT, the Information Governance Group Manager and, as agenda items dictate, the Information Asset Owners, the Information Security Manager and the Lead Records Management Officer.

8.3 The Information Governance team

The Information Governance team is located within the Good Practice department under the leadership and direction of the Head of Good Practice. The team consists of the Information Governance Group Manager, the Information Security Manager, the Lead Records Management Officer and the Information Governance Officer, who provides support to the team.

The team is responsible for:

- the development and implementation of an effective strategy to deliver sound and compliant information governance practices across the ICO;
- the development and promotion of information governance policy;
- ensuring the ICO's Information Asset Owners (IAOs) are aware of and understand the information governance strategy and policies, and have a good understanding of their role and responsibilities;
- providing advice and assistance to the IAOs to ensure that local procedures are in place to underpin and implement information governance policy;
- leading and coordinating the work on the ICO's Integrated Assurance Framework, which provides assurance relating to the effectiveness of the ICO's information governance control framework and mitigates corporate risk;
- ensuring there is awareness of the policy for managing security incidents, and ensuring any incidents are logged and investigated and that recommendations are implemented;
- maintaining positive relationships regarding information governance matters with relevant external bodies, e.g. TNA, the Cabinet Office and CESG; and
- providing input and feedback to Policy Delivery on emerging policy lines.

8.4 Information Asset Owners (IAOs)

The ICO has twelve IAOs, who are heads of departments and who have responsibility for the information being created, received or obtained by their department. Their responsibilities include:

- ensuring that the ICO's policy is implemented in the business processes for which they are responsible;
- ensuring that their staff are aware of the information governance policies that affect them and that they attend or complete training as required;
- fostering a culture of personal responsibility and commitment related to information governance matters in their department; and
- completing and submitting biannual self-assessments which measure their levels of assurance against a range of control measures.

8.5 The ICO's staff

All the ICO's staff have a personal responsibility to:

- handle information in accordance with information governance policy;
- attend security induction training and continue to attend or complete training as required;
- understand that failure to comply with information governance policy is treated seriously and can lead to disciplinary action; and
- report security incidents or weaknesses.

8.6 Independent external security contract

The ICO has an independent security contract in place to provide independent assurance and validation of IT information security practice and controls.

This contract provides independent advice and challenge in relation to the security of our IT environment and the work of our IT suppliers.

8.7 IT Security Working Group (SWG)

The SWG manages security across the ICO IT platform with the aim of identifying, understanding and controlling any information risks in line with the ICO's information risk appetite. The SWG is the forum where all IT security stakeholders meet and make decisions in line with HMG and the ICO's policy. It is responsible for:

- approving and maintaining the ICO's Accreditation Maintenance Plan;
- managing the ICO's accreditation activities, including the Risk Management Accreditation Document Set (RMADS) and compliance with the PSN Code of Connection;
- monitoring recorded information risks and the implementation and effectiveness of associated controls;
- monitoring IT security incidents;
- approving the ICO's code of connection with third party suppliers; and
- advising on the ICO's system and network developments and providing security input to projects and programmes.

8.8 Physical Security Working Group

The Facilities team are responsible for the implementation and management of physical security policy and controls at Wycliffe House. The Information Governance team are responsible for ensuring that the requirements of the ICO's policy and any relevant standards are understood and inform the implementation of physical security controls.

The Physical Security Working Group meets to discuss any physical security incidents and issues. The group's responsibilities are:

- defining physical security controls;
- carrying out periodic security inspections;
- assessing the ICO's current physical security controls and making any recommendations for change; and
- reviewing physical security incidents.
